For the second time this year, Apple has blacklisted the Java Web plugin on OS X. The block, which was revealed on an Apple discussion board, applies to the current version of the plugin after an earlier attempt to patch a critical vulnerability was found not to have fixed the issue. The plugin could still be exploited despite the security mechanisms Oracle had put in place.
Apple was strongly against maintaining its own version of the Java virtual machine for OS X and instead deferred its development to Oracle. The browser plugin has become a common target for malware attacks, and users who need it must install it separately.
Java plugin has been blocked by Apple's Safari browser
Apple has boosted security controls in OS X by including a mechanism that forces Safari to use a minimum specified version of various plugins, such as Flash or Java. When security vulnerabilities are discovered in a plugin, Apple can update this blacklist to specify which version is acceptable. Note, though, that the block applies to Safari: if you need Java applets for specific functions, you can still run them in other browsers such as Chrome or Firefox.
The mechanism, known as XProtect, effectively blocks the Java Web plugin by specifying a future version number that hasn't been released. The updated blacklist enforces a minimum Java plugin version of 1.7.0_11-b22, while the latest version of the plugin is 1.7.0_11-b21. Apple used the same technique earlier this month, when a critical exploit in the plugin was discovered by security researchers and was determined to be a serious threat to systems.
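The following is an added example (not code from the article, Apple or Oracle) showing how a minimum-version blocklist of this kind works in practice: it parses a constructed property list laid out like XProtect's plug-in blocklist, turns Java plugin version strings such as 1.7.0_11-b21 into comparable tuples, and reports whether an installed version falls below the enforced minimum. The plist key names (PlugInBlacklist, MinimumPlugInBundleVersion) and the bundle identifier com.oracle.java.JavaAppletPlugin are assumptions for this example; the version numbers are the ones quoted above.

```python
import plistlib
import re
from typing import Dict, Optional, Tuple

# Constructed sample mirroring the layout of a Safari plug-in blocklist.
# The key names and the Java bundle identifier are assumptions for this example;
# the minimum version is the one quoted in the article (1.7.0_11-b22).
SAMPLE_BLOCKLIST_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.0_11-b22</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

JAVA_PLUGIN_ID = "com.oracle.java.JavaAppletPlugin"  # assumed bundle identifier

# major.minor.patch, optional _update, optional -bNN build number
JAVA_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '1.7.0_11-b21' into (1, 7, 0, 11, 21) so versions compare as tuples.
    A missing update or build component counts as 0."""
    m = JAVA_VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java plug-in version: {version!r}")
    major, minor, patch, update, build = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch, update, build)


def load_minimum_versions(plist_bytes: bytes) -> Dict[str, str]:
    """Flatten the blocklist into {bundle_id: minimum_version}."""
    data = plistlib.loads(plist_bytes)
    minimums: Dict[str, str] = {}
    for _os_major, plugins in data.get("PlugInBlacklist", {}).items():
        for bundle_id, info in plugins.items():
            minimums[bundle_id] = info["MinimumPlugInBundleVersion"]
    return minimums


def is_blocked(installed: str, minimum: str) -> bool:
    """The blocklist rule: a plug-in is blocked when it is older than the minimum.
    Setting the minimum to an unreleased build therefore blocks every shipped version."""
    return parse_java_version(installed) < parse_java_version(minimum)


def check_java_plugin(installed: str, plist_bytes: bytes = SAMPLE_BLOCKLIST_PLIST) -> Optional[bool]:
    """Return True if the installed Java plug-in would be blocked, False if allowed,
    or None when the blocklist carries no entry for the Java plug-in."""
    minimum = load_minimum_versions(plist_bytes).get(JAVA_PLUGIN_ID)
    if minimum is None:
        return None
    return is_blocked(installed, minimum)


if __name__ == "__main__":
    for installed in ("1.7.0_11-b21", "1.7.0_11-b22", "1.7.0_10-b18"):
        state = "blocked" if check_java_plugin(installed) else "allowed"
        print(f"{installed}: {state}")
```

Because the comparison is purely lexical on version components, the check behaves exactly as described above: the shipping build b21 is below the enforced b22 and is refused, and only a build Oracle has not yet released would pass.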
Earlier this month, Oracle was pressed for a quick fix after security researchers found the flaw, and the company released the aforementioned new version of the Java plugin. It now seems that the fix wasn't complete. Oracle had, however, also set the plugin's default security level to "high," which requires users to click "OK" before any unsigned or self-signed Java applet runs; applets signed by trusted authorities could still run without user intervention.
Unfortunately, that security mechanism itself turned out to be vulnerable because of additional bugs discovered in the Java frameworks. Earlier this week, security researchers found that the bug could allow unsigned Java applets to run inside a browser without prompting the user to allow their execution, exactly the situation Oracle had intended to eliminate.